If you're a business continuity professional, there are two standards at the top of your list when building and updating a BC plan: The International Organization for Standardization's ISO 22301:2019, Security and Resilience -- Business Continuity Management Systems -- Requirements; and the Federal Financial Institutions Examination Council's FFIEC Business Continuity Management handbook.
At a fundamental level, both documents provide a detailed outline of the components of a business continuity management system (BCMS) or plan. The ISO standard is higher level because it specifies requirements for a BCMS, while the FFIEC standard provides more actionable detail for preparing BC plans. The ISO standard addresses all kinds of businesses, while the FFIEC standard is optimized for banks and other financial institutions, though it can also be used effectively in non-financial applications.
More similarities than differences
Both standards have companion documents that provide additional value to BC professionals. ISO 22313:2012, Societal Security -- Business Continuity Management Systems -- Guidance, provides additional details on the requirements stated in ISO 22301:2019. The FFIEC also publishes a work program that helps professionals prepare for the business continuity program examination the FFIEC administers. Both documents provide valuable details and guidance for preparing BC plans and performing related activities such as risk assessments, business impact analyses and tabletop exercises.
From an audit perspective, both business continuity standards can serve as audit controls and can be formatted into audit worksheets. In addition, the FFIEC work program is structured so that each requirement includes a series of questions that organizations can use both as audit controls and for performing gap analyses. This is one of the most important benefits of both standards and their companion documents.
The FFIEC handbook is optimized for banks and other financial institutions, while the ISO standard can be used for almost any vertical market. Financial organizations can focus on the FFIEC standard and use the ISO standard as an available backup. By contrast, non-financial organizations can effectively use either standard for planning, review and auditing. The FFIEC work program can also serve as a useful gap assessment tool.
The two business continuity standards are structured differently but still address the same fundamental issues. The FFIEC document includes financial industry-specific situations, such as payment systems, liquidity considerations and preparing for national and regional financial industry exercises. The FFIEC also discusses recovery of data centers, which is an important consideration for financial organizations.
Tips for using the standards
Each standard and its companion documents provide useful information for preparing BC plans and for organizing a BCMS. Best practices for effectively using either standard include the following:
- Determine if you are updating an existing plan/program or creating a new plan/program before selecting a standard.
- For financial institutions, use the FFIEC handbook as the primary document, with ISO as an alternate or for additional detail.
- For most other organizations, start with the ISO standard and refer to the FFIEC handbook for additional detail.
- Either standard can serve as an effective audit control document, both for planning and executing the business continuity audit and for preparing the work papers and final report.
- Use the FFIEC work program document when planning a gap analysis; it provides an effective starting point, and you can add more criteria as needed.
- The FFIEC handbook has a detailed section on planning and performing BC-related exercises, so take advantage of it.
- Both documents have detailed bibliographies that provide comprehensive lists of other relevant sources for planning and development.
- Companion documents provide useful guidance for filling in any knowledge gaps that may exist in the standards.
Both ISO 22301:2019 and the FFIEC BC handbook provide detailed information on business continuity standards and the associated requirements. Their companion documents provide useful guidance and knowledge to support the standards and their frameworks. If possible, the best strategy is to have both sets available to ensure you cover all the bases.